
RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)



Mike:

Yes, exactly, if I understand your statement correctly.  With network
replication and bandwidth limitations, the goal of many SHOULD be to
issue a base CRL less frequently with a longer validity and more
delta-CRLs with increased frequency and shorter validity.  This in my
mind is the original intent and ideal scenario for delta-CRL usage.

Having a goal of making identical revocation status information to both
delta-aware and non delta-aware clients may be noble, but invariably
detracts from the ideal scenario described above.  If all CA vendors
would be compliant in issuing both, this would surely hurt
implementations and deployments due to the negative consequences to an
infrastructure.

 
David B. Cross
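A small model of the trade-off described in this reply, added here as an example and not code from any participant in the thread: it counts what a replication fabric must carry and how stale revocation data gets for delta-aware versus non-delta-aware clients under two issuance policies. The CRL sizes, periods and replica count are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    base_period: int        # hours between base (full) CRL issues
    delta_period: int       # hours between delta-CRL issues
    full_with_delta: bool   # also publish a fresh full CRL with every delta


def issue_times(p: Policy, horizon: int):
    """Times (hours) at which a full CRL and a delta-CRL are published."""
    base = set(range(0, horizon + 1, p.base_period))
    delta = set(range(0, horizon + 1, p.delta_period))
    full = (base | delta) if p.full_with_delta else base
    return full, delta


def max_staleness(times, horizon: int) -> int:
    """Worst-case hours between a revocation and the next issue that carries it."""
    ts = sorted(times)
    return max((b - a for a, b in zip(ts, ts[1:])), default=horizon)


def evaluate(p: Policy, horizon=168, full_size=500_000, delta_size=5_000, replicas=1):
    """Bytes pushed to all replicas over the horizon, plus staleness per client type."""
    full, delta = issue_times(p, horizon)
    return {
        "bytes_replicated": replicas * (len(full) * full_size + len(delta) * delta_size),
        # delta-aware clients combine the latest base CRL with the latest delta
        "stale_hours_delta_aware": max_staleness(full | delta, horizon),
        # non-delta-aware clients only ever see full CRLs
        "stale_hours_legacy": max_staleness(full, horizon),
    }


# Constructed policies: weekly base CRL with hourly deltas, with and without
# pushing a full CRL every time a delta is issued.
IDEAL = Policy(base_period=168, delta_period=1, full_with_delta=False)
FULL_EACH_TIME = Policy(base_period=168, delta_period=1, full_with_delta=True)

if __name__ == "__main__":
    for name, pol in (("ideal", IDEAL), ("full-with-delta", FULL_EACH_TIME)):
        print(name, evaluate(pol, replicas=200))
```

With the constructed sizes, issuing a full CRL alongside every delta multiplies replicated bytes by roughly 46 over the week while the delta-aware client gains nothing in freshness.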
 



-----Original Message-----
From: Michael Myers [mailto:myers@xxxxxxxxxxxxx] 


Dave,

Recognizing broader enterprise issues, somewhere there's nonetheless a
middle ground where the mandatory practice of a full CRL complements the
optional practice of issuing deltas.  The period of the former MAY,
perhaps SHOULD, be longer than the latter in the presence of the delta
practice.  Your thoughts?

Mike



> -----Original Message-----
> From: David Cross [mailto:dcross@xxxxxxxxxxxxx]
>
>
> It may not be a burden to a CA, but it very well likely may be burden
> for the underlying replication and distribution architecture to push a
> full CRL every time a delta-CRL is issued.  It is the bigger picture
> of the issue outside of the CA and PKI aspects.
>
>
> David B. Cross
>